Tech Firms Pledge Open-Source Support After Heartbleed

At least 10 large technology companies, including Google Inc., Facebook Inc. and Cisco Systems Inc., have pledged to invest at least $300,000 each in the next three years to maintain open-source software after the Heartbleed security bug exposed the lack of funding for such projects.

The Linux Foundation said today that it will get annual contributions of $100,000 from each company, with a minimum commitment of three years. The other companies are Dell Inc., Fujitsu Ltd., International Business Machines Corp., Intel Corp., Microsoft Corp., NetApp Inc. and VMware Inc. More are expected to join, said Jennifer Cloer, a spokeswoman at the foundation, which works to spread open-source software that helps power server computers and mobile devices.

The Linux Foundation said the first project under consideration to receive funds is OpenSSL, the encryption software that was revealed to have a vulnerability earlier this month that sent Internet companies racing to apply a fix. The flaw, discovered by researchers at Google and a cybersecurity firm in Finland called Codenomicon, could have let hackers pull data from the memory of computer servers, even over encrypted connections.

Bloomberg News reported that the National Security Agency had known about the bug for two years and regularly used it to gather intelligence. Canada’s revenue agency said hackers exploiting the flaw took 900 social security numbers.

Asymmetrical Relationship

Heartbleed also underscored an asymmetrical relationship that many technology companies have with open-source software, which has code that developers can customize. While companies use open-source programs heavily and contribute code back to the community, they often give very little money to the organizations responsible for maintaining the software. That can lead to funding gaps that let serious errors in programming code go unnoticed.

The Linux Foundation said the OpenSSL project has typically only received $2,000 a year in donations. Many open-source programmers are volunteers.

Heartbleed wasn’t as widespread as initially thought. Codenomicon researchers said it could have affected as many as two-thirds of the world’s almost 1 billion active websites. The company whose data that estimate was based on later said the figure was about 500,000, since not every site that could have used OpenSSL to enable secure communications did.